freeradius eap sim authorization to everyone

2013-09-10 Thread Maxim Shoustin
Hello, I use freeradius 2.2.0 (runs on Ubuntu). I played enough with eap sim (thanks for the examples eapsim-02 - 06). My goal is to test client + AP but not the freeradius authorization/authentication process. How can I configure freeradius to give success for every user, no matter what the IMSI is

Re: freeradius eap sim authorization to everyone

2013-09-10 Thread Alan DeKok
Maxim Shoustin wrote: Can I configure to give OK to any sim based on provider only, like Orange, for example? No. The design of EAP-SIM makes that impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authorization failed in cisco switch

2013-07-23 Thread Martin Kraus
On Mon, Jul 22, 2013 at 04:27:30PM +0200, Marco Aresu wrote: I am getting some problems with authorization in FreeRADIUS. I configured the users file as below: DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco

Re: Authorization failed in cisco switch

2013-07-23 Thread Marco Aresu
, 2013 at 04:27:30PM +0200, Marco Aresu wrote: I am getting some problems with authorization in FreeRADIUS. I configured the users file as below: DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco-avpair

Re: Authorization failed in cisco switch

2013-07-23 Thread Martin Kraus
On Tue, Jul 23, 2013 at 03:12:33PM +0200, Marco Aresu wrote: Now I can log on to the switch, but so can all users. Where can I specify who can access the switch? I added a row in the users file, user Auth-Type := Reject, but nothing changed. The first match wins in the users file unless the

Re: Authorization failed in cisco switch

2013-07-23 Thread Alan Buxey
now I can log on to the switch but so can all users. Yes. Because that's how you have configured it. You've set the DEFAULT to have those abilities. I would recommend reading the freeradius resources and buying a book to discover/understand policies, groups etc. alan

Re: Authorization failed in cisco switch

2013-07-22 Thread Matthew Newton
On Mon, Jul 22, 2013 at 04:44:29PM +0200, Marco Aresu wrote: here is the debug after authentication: Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password secret [pap] Using CRYPT password

Re: Authorization failed in cisco switch

2013-07-22 Thread Alan DeKok
Marco Aresu wrote: I am getting some problems with authorization in FreeRADIUS. I configured the users file as below: DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco-avpair = shell:priv-lvl=15, Is it *exactly

Re: Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
, Alan DeKok al...@deployingradius.com wrote: Marco Aresu wrote: I am getting some problems with authorization in FreeRADIUS. I configured the users file as below: DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User

Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
Hi All, I am getting some problems with authorization in FreeRADIUS. I configured the users file as below: DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco-avpair = shell:priv-lvl=15, When I try to login into a switch

Re: Authorization failed in cisco switch

2013-07-22 Thread Alan DeKok
Marco Aresu wrote: here is the debug after authentication: If you're not going to follow instructions, you shouldn't be posting questions on this list. Since you're not willing to post the full debug output here, we can't help you. Go read it yourself. I don't understand when he tried to

Re: Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
Is the only file to edit for the authorization the users file? Thanks, Marco Marco Aresu On 22 July 2013 17:03, Alan DeKok al...@deployingradius.com wrote: Marco Aresu wrote: here is the debug after authentication: If you're not going to follow instructions, you shouldn't be posting

Re: Authorization failed in cisco switch

2013-07-22 Thread Marco Aresu
I created two users on the freeradius server and when I tried to login with the new user that is not specified in the users file I've got the same error Authorization Failed. I think that I am editing the wrong users file but the directory is /etc/raddb/users Marco Aresu On 22 July 2013 17:19

AW: Authorization failed in cisco switch

2013-07-22 Thread Backs Max
Hi, you are sending the wrong attributes or your switch config is not correct. For authorization the switch needs only these two attributes: Service-Type := Login Cisco-AVPair := shell:priv-lvl=15 And this is the working aaa config: aaa new-model aaa authentication login default group

Re: group authorization and ldap

2013-07-09 Thread Alan DeKok
Brendan Kearney wrote: I have found this write-up: http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap but it does not work. See the FAQ for "it does not work". You need to run it in debugging mode, as suggested in the FAQ, man page, web pages, and daily on this list.

group authorization and ldap

2013-07-08 Thread Brendan Kearney
list members, I am working on having radius perform authorization based on group membership in ldap. I am able to authenticate the user using the kerberos module, and can attach to ldap using the ldap module. What I would like to do is have a group in ldap that provides a radiusReplyItem value

Re: eap sim authorization problem

2013-06-26 Thread raptor raptor
Hi, thanks for your reply. I also tried using the patch at http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh but unfortunately, when I have already connected one device successfully and I try another device, the result is that the other device is rejected by the server

Re: eap sim authorization problem

2013-06-26 Thread raptor raptor
Hi Iliya, thanks for your answer. I tried to fix the syntax error in the users file and also tried using the patch at http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh but unfortunately the result is the same: my first device can connect to the internet and

Re: Username/Host authorization

2013-06-25 Thread nicolas . clo
method. i.e. the authorization stage can check the Calling-Station-Id (MAC address) and, if not known, just reject. Then, if known, carry on to the user authentication by 802.1X. As already said, you have to know what you want and the technologies available. alan

Username/Host authorization

2013-06-24 Thread nicolas . clo
Hi list, I'm searching for the best way to configure an authorization based on both Host + Username (mschapv2 + /usr/bin/ntlm_auth), not Host or Username. Is it possible to verify the host with mschapv2 and, if the module returns ok, proceed to username verification with the same module? Thanks

Re: Username/Host authorization

2013-06-24 Thread Phil Mayers
On 24/06/13 12:47, nicolas@ricoh-industrie.fr wrote: Hi list, I'm searching for the best way to configure an authorization based on both Host + Username (mschapv2 + /usr/bin/ntlm_auth), not Host *or* Username. Is it possible to verify the host with mschapv2 and if the module

Re: Username/Host authorization

2013-06-24 Thread Alan DeKok
nicolas@ricoh-industrie.fr wrote: Is it possible to verify host with mschapv2 That question has a number of unstated assumptions. Those assumptions are wrong. Does the *host* provide mschapv2 authentication data? No. Therefore, the host can't be verified with mschapv2. and if

Username/Host authorization

2013-06-24 Thread nicolas . clo
Thanks for your help. We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account. MAC authorization is not a good way for us (too restrictive to keep up to date). Authorization by certificate too, because we have a lot

Re: Username/Host authorization

2013-06-24 Thread Alan DeKok
nicolas@ricoh-industrie.fr wrote: We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account. That is fairly vague. You're working with computers. Be specific. WHAT is in an Access-Request when they login using

Re: Username/Host authorization

2013-06-24 Thread Phil Mayers
On 24/06/13 14:09, nicolas@ricoh-industrie.fr wrote: Thanks for your help. We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account. Sorry, but that's not currently possible. No EAP method supports it. In theory

Username/Host authorization

2013-06-24 Thread nicolas . clo
want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account. That is fairly vague. You're working with computers. Be specific. WHAT is in an Access-Request when they login using a desktop? WHAT is in an Access-Request

Re: Username/Host authorization

2013-06-24 Thread A . L . M . Buxey
Hi, I'm now sure that the best way for us is MAC address filtering. That's a way of doing the 'host' part. The user can then be authenticated by an EAP method, i.e. the authorization stage can check the Calling-Station-Id (MAC address) and, if not known, just reject. Then, if known, carry

Re: eap sim authorization problem

2013-06-21 Thread Iliya Peregoudov
On 20.06.2013 17:56, raptor raptor wrote: my users format 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D, EAP-Sim-SRES1 = 0x DD287535, EAP-Sim-KC1 = 0x 7F743521EBabb000, EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,

Re: eap sim authorization problem

2013-06-20 Thread Iliya Peregoudov
On 20.06.2013 8:38, raptor raptor wrote: I just try one client and it succeeds, but when I use another client it fails Post debug log if you want to diagnose authentication failure. Is it correct if I add the other client in users and simtriplets.dat? Yes, you should add auth vectors for all

Re: eap sim authorization problem

2013-06-20 Thread raptor raptor
Hi Iliya, thanks for your quick response, here is my debug log rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=215 User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org NAS-IP-Address = 192.168.2.1 Called-Station-Id =

Re: eap sim authorization problem

2013-06-20 Thread Iliya Peregoudov
On 20.06.2013 13:38, raptor raptor wrote: Sending Access-Accept of id 0 to 192.168.2.1 port 2048 MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8 MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f EAP-Message = 0x03760004

Re: eap sim authorization problem

2013-06-20 Thread raptor raptor
Hi Iliya, I'm sorry, my posting above is about one client first: I connect with one client and it succeeds (until Finished request 2 in the debug log) and then in the next request I try with a different supplicant/client to authenticate and I have input the identity (IMSI, RAND, SRES, KC) into

Re: eap sim authorization problem

2013-06-19 Thread raptor raptor
Hi Iliya, thanks for your advice, it works On Thu, Jun 13, 2013 at 2:47 PM, Iliya Peregoudov iperegu...@cboss.ru wrote: On 11.06.2013 12:27, raptor raptor wrote: 1. when I change the users entry, I get notification that access-accept was successful but unfortunately, when I restart the system

Re: eap sim authorization problem

2013-06-19 Thread raptor raptor
Hi, I have tried with one client and it succeeds to authenticate and access the internet in the wlan. Could this test use multiple clients? I just try one client and it succeeds but when I use another client it fails. Is it correct if I add the other client in users and simtriplets.dat? ex:

Re: eap sim authorization problem

2013-06-13 Thread Iliya Peregoudov
On 11.06.2013 22:21, Rodney Machado wrote: After reading again the documentation, i got to this point: [skipped] I'm going to fix the user file and give it a try again. rlm_eap_sim expects EAP-Sim-RAND1 (and friends) on reply list, not in control list. So correct users entry for EAP-SIM

Re: eap sim authorization problem

2013-06-13 Thread Iliya Peregoudov
On 11.06.2013 12:27, raptor raptor wrote: 1. when I change the users entry, I get notification that access-accept was successful but unfortunately, when I restart the system it can't access-accept and I must change the attribute in users from the agsm program. Here is the log: I do not understand clearly whether

Re: eap sim authorization problem

2013-06-11 Thread Iliya Peregoudov
On 11.06.2013 7:00, raptor raptor wrote: I'm sorry, I don't understand about the LF UNIX line ending, could you show me what I should do to the simtriplets.dat format? Is there any mistake? Run dos2unix simtriplets.dat in a UNIX shell. This will ensure simtriplets.dat has UNIX line endings. I got that

Re: eap sim authorization problem

2013-06-11 Thread Rodney Machado
Hi Iliya, I've been trying EAP-SIM auth myself for a while, with nothing but odd results. I'm using FreeRADIUS Version 3.0.0 (git #25b6fdd), in which the support for the sim_files module has been dropped. I tried setting the vectors via the users file for my IMSI but it's not working, I was just

Re: eap sim authorization problem

2013-06-11 Thread Rodney Machado
After reading again the documentation, I got to this point: What's with the commas in the raddb/users file? Commas link lists of attributes together. The general format for a raddb/users file entry is: name Check-Item = Value, ..., Check-Item = Value Reply-Item = Value, . . . Reply-Item =

Re: eap sim authorization problem

2013-06-10 Thread Iliya Peregoudov
On 09.06.2013 5:34, raptor raptor wrote: simtriplets.dat format that I write: 1imsi,RAND,SRES,Kc 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000

Re: eap sim authorization problem

2013-06-10 Thread raptor raptor
Iliya Peregoudov wrote: 1. rlm_sim_files: insufficient number of challenges for imsi 1510019760806391: 0 ++[sim_files] returns notfound It's strange that rlm_sim_files was unable to find auth vectors. Ensure that simtriplets.dat has UNIX line endings (LF, not CRLF). I'm sorry, I don't

Re: eap sim authorization problem

2013-06-08 Thread raptor raptor
my simtriplets.dat : 1imsi 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000 On Mon, Jun 3, 2013 at 9:26 PM, Alan

Re: eap sim authorization problem

2013-06-08 Thread raptor raptor
simtriplets.dat format that I write: 1imsi,RAND,SRES,Kc 1510019760806391,AAC0FAFDC47D4524AC9E2A3D51BDBA39,2A71bac3,7868589a75fdc000 1510019760806391,BF9A9F6EEB36422895D010927D76972C,F49dd880,3Afbcf2fA9b0a000 1510019760806391,C63837CFECD348deB119C35CFECD4898,49312999,FD488938B6f2a000 I add in

Re: eap sim authorization problem

2013-06-03 Thread Iliya Peregoudov
Apparently there is an error in simtriplets.dat. Format is 1IMSI,RAND,SRES,KC RAND, SRES, and KC should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there. On 01.06.2013 5:51, raptor raptor wrote: ASSERT FAILED rlm_sim_files.c[212]: k !=

Re: eap sim authorization problem

2013-06-03 Thread Alan DeKok
Iliya Peregoudov wrote: Apparently there is an error in simtriplets.dat. Format is 1IMSI,RAND,SRES,KC RAND, SRES, and KC should be in hexadecimal digits, without 0x prefix. An even number of hexadecimal digits should be in there. The simtriplets.dat file doesn't have 0x prefixes in its

Re: eap sim authorization problem

2013-05-31 Thread Iliya Peregoudov
Call suffix before sim_files. The rlm_sim_files module uses the canonical username as a key for searching authentication vectors. Initially the canonical username points to the User-Name attribute. The rlm_realm module (suffix is an instance of this module) splits User-Name into Stripped-User-Name and Realm and

Re: eap sim authorization problem

2013-05-31 Thread raptor raptor
I have added Stripped-User-Name in sites-enabled/default and also I disabled the suffix module, but I found something like a fatal mistake. Could someone tell me what I should do to fix this? This is my log Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2048, id=0,

eap sim authorization problem

2013-05-30 Thread raptor raptor
Hi all, I have read everything about my problem, but I don't get any idea to solve it. In FR I get a message like this: rlm_sim_files: insufficient number of challenges for imsi i...@wlan.mnc001.mcc510.3gppnetwork.org : 0 [sim_files] returns notfound it's my log: Ready to process requests. rad_recv:

Re: eap sim authorization problem

2013-05-30 Thread Iliya Peregoudov
You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf: # raddb/proxy.conf realm wlan.mnc001.mcc510.3gppnetwork.org { } Then you should add authentication vectors to raddb/simtriplets.dat: # raddb/simtriplets.dat # 1IMSI,RAND,SRES,KC

Re: eap sim authorization problem

2013-05-30 Thread EasyHorpak.com
On 30/05/2556 13:44, raptor raptor wrote: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP [pap] WARNING! No "known good"

Re: eap sim authorization problem

2013-05-30 Thread Phil Mayers
On 30/05/13 08:16, Iliya Peregoudov wrote: You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf: Better yet, don't use the suffix module; look for the realm and strip it yourself: authorize { if (User-Name =~ /^(.*)@(.+)$/) { update

Re: eap sim authorization problem

2013-05-30 Thread Phil Mayers
On 30/05/13 08:22, EasyHorpak.com wrote: On 30/05/2556 13:44, raptor raptor wrote: [pap] WARNING! No known good password found for the user.Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP [pap] WARNING! No known good password found for the

Re: eap sim authorization problem

2013-05-30 Thread raptor raptor
Hi, Phil Better yet, don't use the suffix module; look for the realm and strip it yourself: authorize { if (User-Name =~ /^(.*)@(.+)$/) { update request { Stripped-User-Name := %{1} Realm := %{2} } } } See the policy.conf/policy.d and list archives for better regexps for

Re: eap sim authorization problem

2013-05-30 Thread raptor raptor
Hi, I have added simtriplets.dat and created the file sim_files in /freeradius/modules and also I configured sim_files in authorize{} in /sites-enabled/default but I don't use the suffix module, so my concern is how to solve this message: rlm_sim_files: insufficient number of challenges for imsi

rlm_sql - authentication vs authorization - update internal attribute within sql module

2013-04-08 Thread duffy
hi list, I'm trying to set one custom attribute during rad_check to use it while selecting the proper vsa in rad_reply. These are my 4 steps: 1) add custom attribute to the dictionary; 2) get it set by rad_check, if necessary; 3) modify dialup.conf to pass my custom attribute to rad_reply [using

Re: LDAP authorization

2013-03-07 Thread Alan DeKok
Matthew Ceroni wrote: I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users. I am authenticating against AD (use LDAP for authorize and ntlm for authentication). If I were to search for all non-disabled

Re: LDAP authorization

2013-03-07 Thread Matthew Ceroni
authorized to use remote access So then it continues on to the authorization part. How do I get it to reject if the user isn't found (or user is disabled)? On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok al...@deployingradius.com wrote: Matthew Ceroni wrote: I am using LDAP authorization. What I am looking

Re: LDAP authorization

2013-03-07 Thread Alan DeKok
Does that filter work when you use it with the command-line ldap search tool? [ldap] user XX authorized to use remote access So then it continues on to the authorization part. How do I get it to reject if the user isn't found (or user is disabled)? Use ldap.attrmap, as I said in my

Re: LDAP authorization

2013-03-07 Thread Matthew Ceroni
but disabled, or user isn't found at the output (from radius debug) shows Does that filter work when you use it with the command-line ldap search tool? [ldap] user XX authorized to use remote access So then it continues on to the authorization part. How do I get it to reject

Re: LDAP authorization

2013-03-07 Thread Olivier Beytrison
On 07.03.2013 22:06, Matthew Ceroni wrote: Alan: Yes, that works when run through ldapsearch. I was able to get the attribute checking working (added to dictionary, then ldap.attrmap) so I can now reject based on the value of an attribute. Thanks for the input on that. However, if the user

LDAP authorization

2013-03-06 Thread Matthew Ceroni
I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users. I am authenticating against AD (use LDAP for authorize and ntlm for authentication). If I were to search for all non-disabled users using ldapsearch

RE: freeradius 2.2.0 stop authorization

2013-01-23 Thread Wedel Blake
'stop authorization' in the subject line. Thanks again. -Original Message- From: freeradius-users-bounces+bwedel=cr.k12.ia...@lists.freeradius.org [mailto:freeradius-users-bounces+bwedel=cr.k12.ia...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, January 22, 2013 1:22 PM

Re: freeradius 2.2.0 stop authorization

2013-01-22 Thread Alan DeKok
Wedel Blake wrote: ... What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain. AD isn't really an LDAP server. You'll probably need to run Samba. See:

freeradius 2.2.0 stop authorization

2013-01-22 Thread Wedel Blake
, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'blakegroup' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok [ldap] performing user authorization for blake [ldap] expand: %{Stripped-User-Name} - [ldap] ... expanding

RE: Slow Ldap Authorization

2013-01-15 Thread Tyler Brady
On 01/15/2013 07:45 AM, Phil Mayers wrote: Sorry, I've just realised another thing you can try - disable referral chasing. This is an option on the ldap module - try this: ldap { ... chase_referrals = no } This solved my problem. Thank you!

RE: Slow Ldap Authorization

2013-01-14 Thread Tyler Brady
Can someone help point me in the right direction? LDAP is taking too long to authorize due to something in my configuration. Keep in mind that I am about as newb as you can get when it comes to this stuff. I apologize for my ignorance. Any help would be greatly appreciated. [ldap] Bind was

Re: Slow Ldap Authorization

2013-01-14 Thread Arran Cudbard-Bell
On 14 Jan 2013, at 23:35, Tyler Brady tbr...@stc-comm.com wrote: Can someone help point me in the right direction? LDAP is taking too long to authorize due to something in my configuration. Keep in mind that I am about as newb as you can get when it comes to this stuff. I apologize for my

RE: Slow Ldap Authorization

2013-01-14 Thread Tyler Brady
Look. This is absolutely not a RADIUS issue, you need to buy a book on LDAP and read up on referrals, and escaping special characters. Anyone involved in AAA needs to know about these fundamental protocols, spoonfeeding you information will not help your understanding of them. -Arran

Re: Slow Ldap Authorization

2013-01-14 Thread Phil Mayers
On 01/11/2013 10:15 PM, Tyler Brady wrote: basedn = DC=company,DC=com Try setting a more specific (longer) base DN. As Arran has pointed out, you're getting LDAP referrals. Active Directory likes to do this if you query the LDAP tree from a point above 1 database, even though

Re: Slow Ldap Authorization

2013-01-14 Thread Phil Mayers
On 01/15/2013 07:45 AM, Phil Mayers wrote: On 01/11/2013 10:15 PM, Tyler Brady wrote: basedn = DC=company,DC=com Try setting a more specific (longer) base DN. As Arran has pointed out, you're getting LDAP referrals. Active Directory likes to do this if you query the LDAP tree from a

Slow Ldap Authorization

2013-01-11 Thread Tyler Brady
Version 2.1.10 Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRadius to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing

Re: Slow Ldap Authorization

2013-01-11 Thread Arran Cudbard-Bell
On 11 Jan 2013, at 22:15, Tyler Brady tbr...@stc-comm.com wrote: Version 2.1.10 Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRadius to get through all of the [ldap] fields and send an Access-Accept. Is this a normal

Re: FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-10 Thread Phil Mayers
On 01/09/2013 08:42 PM, Matthew Ceroni wrote: It appears that when Windows sends the username it sends it as DOMAIN\\username. The \\ causes the 5c to appear in the username. I confirmed this by using the radtest tool and specifying the username as DOMAIN\\username. A single \ causes the

Re: FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-09 Thread Phil Mayers
). And it authenticates fine. My problem is on the authorization side in which I am using LDAP to grab the groups a user is in. In order to authenticate against ldap my bind DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I modify the User-Name or Stripped user name just

Re: FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-09 Thread Matthew Ceroni
] performing user authorization for DOMAIN\usrtest [ldap] expand: %{Stripped-User-Name} - [ldap] ... expanding second conditional [ldap] expand: %{User-Name} - DOMAIN\5cusrtest [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) - (samAccountName=DOMAIN\5cusrtest) [ldap

Re: FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-09 Thread Matthew Ceroni
a WARNING and caused because AD doesn't return the password when querying via LDAP. So no big deal. It was actually doing what I wanted. Until things got a little strange. [ldap] performing user authorization for DOMAIN\usrtest [ldap] expand: %{Stripped-User-Name} - [ldap] ... expanding second

FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-08 Thread Matthew Ceroni
is on the authorization side in which I am using LDAP to grab the groups a user is in. In order to authenticate against ldap my bind DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I modify the User-Name or Stripped user name just for the LDAP authorization part so make it DOMAIN

Re: MAC authorization with rlm_sql not working

2012-10-11 Thread Stefano Zanmarchi
Thank you very much Alan, for the thorough and concise explanation (it's working!), as well as for the great job you're doing.

Re: MAC authorization with rlm_sql not working

2012-10-10 Thread Alan DeKok
Stefano Zanmarchi wrote: Hi, our Freeradius is working fine with PEAP (NT hash passwords stored in Openldap). We'd like to add MAC authorization using Mysql: only people with MAC contained in radcheck should have access (provided they also type in the right password!). So you need

Re: authorization based on ldap attribute

2012-09-20 Thread Stefano Zanmarchi
Thank you very much Phil! Exactly what I needed, very well explained. I just did it the other way round: if (reply:Eduroam-Enabled == N) { reject } and it's working fine. Have a nice day, Stefano

Re: authorization based on ldap attribute

2012-09-20 Thread Phil Mayers
On 20/09/12 13:35, Gregg Douglas wrote: With this reject command in the authorize section is there a method to supply a custom reply message? Sure. if (...) { update reply { Reply-Message = whatever you want } reject } This is pretty basic use. I think people should be able to

Re: authorization based on ldap attribute

2012-09-20 Thread Stefano Zanmarchi
Thanks again, you pointed out a very important issue. I'll definitely apply one of the two suggested methods to check if the attribute is present before allowing a user access.

authorization based on ldap attribute

2012-09-19 Thread Stefano Zanmarchi
Hello, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute haDirittoEduroam set to Y (or the other way round: not to authorize users with haDirittoEduroam set to N). Below

Re: authorization based on ldap attribute

2012-09-19 Thread Phil Mayers
On 19/09/12 17:03, Stefano Zanmarchi wrote: Hello, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute haDirittoEduroam set to Y (or the other way round: not to authorize

Adding reply AVPs to an authorization proxy

2012-09-11 Thread Chadwick Sorrell
Hello, I'm using replicate to proxy my authorization and accounting requests to a server. I'm curious if it's possible to add some of the auth reply attributes to the auth proxy before I send it over. That way the proxied auth has both the request and the reply. Thanks

Split authorization / authentication

2012-06-13 Thread Emmanuel BILLOT
Hi, Is it possible to split the authorization step as follows: - Considering we want to authorize users using EAP and MAC addresses - http://wiki.freeradius.org/Mac-Auth works fine, but is it possible to do EAP with one radius server and MAC address auth with another one? BR, -- Emmanuel BILLOT

Re: Split authorization / authentication

2012-06-13 Thread Alan DeKok
Emmanuel BILLOT wrote: Is it possible to split the authorization step as follows: - Considering we want to authorize users using EAP and MAC addresses - http://wiki.freeradius.org/Mac-Auth works fine, but is it possible to do EAP with one radius server and MAC address auth with another one

Re: Split authorization / authentication

2012-06-13 Thread Emmanuel BILLOT
On 13/06/2012 15:14, Alan DeKok wrote: Emmanuel BILLOT wrote: Is it possible to split the authorization step as follows: - Considering we want to authorize users using EAP and MAC addresses - http://wiki.freeradius.org/Mac-Auth works fine, but is it possible to do EAP with one radius server

Re: Split authorization / authentication

2012-06-13 Thread Alan DeKok
, and query that during the authorization phase. Using unlang yes, but what directive should I use? Proxy cannot be one because the MAC address has no suffix. If you're just going to proxy requests, you can proxy them anywhere you want, based on any criteria. Just set Proxy-To-Realm, using the realm

Re: Split authorization / authentication

2012-06-13 Thread Emmanuel BILLOT
is for. Put the MAC addresses into a database, and query that during the authorization phase. Using unlang yes, but what directive should I use? Proxy cannot be one because the MAC address has no suffix. If you're just going to proxy requests, you can proxy them anywhere you want, based on any criteria

We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID. The problem is that we cannot find any

2012-04-25 Thread Xbert_badstuber
We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID. The problem is that we cannot find any solution for the Service Router (Alcatel 7750) to send the NAS-PORT-ID to act as USERNAME

Re: We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID. The problem is that we cannot find

2012-04-25 Thread Marinko Tarlać
Next time put something in the subject so we can know something about your problem... :) On 25.4.2012 15:03, Xbert_badstuber wrote: We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID

Re: We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID. The problem is that we cannot find

2012-04-25 Thread Xbert_badstuber
Hehe, yes I know... :) That became a little bit wrong... ;)

Re: openLDAP authorization with PAP authentication

2012-03-31 Thread Alan DeKok
Jay Ludlow wrote: I have a working RADIUS server for localhost lookup, but when I try and authenticate with my HP Procurve 420 Wireless Access Point using these wireless connection methods with Ubuntu 10.04LTS: ... I get the following result: Found Auth-Type = EAP WARNING: Unknown value

Re: openLDAP authorization with PAP authentication

2012-03-31 Thread Matthew Newton
On Fri, Mar 30, 2012 at 03:52:50PM -0700, Jay Ludlow wrote: Found Auth-Type = EAP WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. You've got eap in the authorize section of your outer (default) virtual server, but you've removed it from the authenticate

Re: openLDAP authorization with PAP authentication

2012-03-31 Thread Alan Buxey
Take the default supplied config. Add ldap to the authorize section in default and inner-tunnel, and to the authenticate section of both. Add your AP into clients.conf. Now edit the ldap module to your requirements. That should work pretty much as is. Rinse, repeat, i.e. now edit other things to
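The two replies above make the same point from different ends: the "Unknown value specified for Auth-Type" warning appears when eap is listed in authorize but has been removed from authenticate, and the fix is to keep each module (eap, ldap) in both sections of both virtual servers and to register the access point as a client. The following is an added example of what that looks like in FreeRADIUS 2.x, not configuration from the thread or from the project's shipped files; the client name, its IP address and the shared secret are assumptions.

```unlang
# sites-enabled/default (FreeRADIUS 2.x). The same layout is needed in
# sites-enabled/inner-tunnel, which handles the PAP/MSCHAP inside PEAP/TTLS:
# a module listed in authorize that sets Auth-Type must also be listed in
# authenticate, or the server cannot act on the Auth-Type it set.
authorize {
    preprocess
    suffix
    eap {
        ok = return      # EAP in progress: stop here, eap owns the request
    }
    files
    ldap                 # looks the user up; reads the password if it is allowed to
    expiration
    logintime
    pap                  # sets Auth-Type := PAP when a known-good password was found
}

authenticate {
    Auth-Type PAP {
        pap              # compares User-Password with the password ldap fetched
    }
    Auth-Type LDAP {
        ldap             # bind as the user when no password could be read
                         # (requires set_auth_type = yes in modules/ldap)
    }
    eap                  # without this line, "Found Auth-Type = EAP" fails with
                         # "Unknown value specified for Auth-Type"
}

# clients.conf (FreeRADIUS 2.x): packets from an unknown source are dropped
# silently, so the access point must be listed. Values are assumptions.
client hp-procurve-420 {
    ipaddr    = 192.0.2.20
    secret    = CHANGE_ME
    shortname = ap-420
}
```

The ordering matters: eap runs before ldap in authorize so that an EAP exchange does not trigger an LDAP lookup on the outer, anonymous identity, while the inner-tunnel server, which sees the real identity, runs ldap and pap for the tunnelled password. Restart with radiusd -X after each change and read the module return codes in the debug output rather than guessing.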

openLDAP authorization with PAP authentication

2012-03-30 Thread Jay Ludlow
[eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for guest [ldap] expand: %{Stripped-User-Name} - [ldap] ... expanding second conditional [ldap] expand: %{User-Name} - guest [ldap

Re: Authorization with Active Directory

2012-01-27 Thread Phil Mayers
On 01/26/2012 09:46 PM, Alan Buxey wrote: Hi, Everything works perfectly except the conditional checking for Client-Shortname. I tried using: *if (Client-Shortname =~ /^localhost/) {* That's wrong. Really? That's my fault then - I had the impression that Client-Shortname was one of the
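The exchange above establishes that testing Client-Shortname as if it were an attribute in the request is wrong. The following is an added example, not configuration from the thread: it reaches the client definition through the %{client:...} expansion, which FreeRADIUS 2.x provides for fields of the clients.conf entry that sent the packet, and then applies a per-NAS-type group check. The client naming scheme (vpn-*, wifi-*) and the group names are assumptions; Ldap-Group comparisons need the ldap module's group settings configured.

```unlang
# sites-enabled/default (FreeRADIUS 2.x), inside authorize, after ldap has run.
# %{client:shortname} expands to the "shortname" of the matching clients.conf
# entry; "if (Client-Shortname ...)" tests a request attribute that is not there.
authorize {
    preprocess
    suffix
    eap {
        ok = return
    }
    ldap

    # Route the policy decision on which kind of NAS sent the request.
    # Client shortnames are assumed to be prefixed vpn- or wifi-.
    if ("%{client:shortname}" =~ /^vpn-/) {
        if (Ldap-Group == "vpn-users") {          # assumed group name
            ok
        }
        else {
            reject
        }
    }
    elsif ("%{client:shortname}" =~ /^wifi-/) {
        if (Ldap-Group == "wifi-users") {         # assumed group name
            ok
        }
        else {
            reject
        }
    }
    else {
        # A client that is neither: refuse rather than fall through to a
        # default that grants whatever the generic policy grants.
        reject
    }

    expiration
    logintime
    pap
}
```

Keying the decision on the client definition rather than on Called-Station-Id means adding a NAS is a clients.conf change with a conforming shortname, not a new branch in the policy, which is the scalability concern raised later in this thread.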

Re: Authorization with Active Directory

2012-01-26 Thread suggestme
if there is no extensionAttribute10 as well); but how do I reach the goal of granting authorization for VPN and Wi-Fi users accordingly if I use this? Is there any easy way to check a condition on a particular attribute of Active Directory? And I don't know where to check this, if I am already using an if conditional statement for returning

Re: Authorization with Active Directory

2012-01-26 Thread Phil Mayers
On 01/26/2012 02:41 PM, suggestme wrote: ## I tried using Called-Station-Id to check the condition; which is ok for now for testing ; but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be best test condition for this. There are many options. You
